From: tb Date: Sun, 30 Apr 2023 14:49:47 +0000 (+0000) Subject: The policy tree is no more X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=9a4df245ae10d25374b7ffe81e1f70d7d43655be;p=openbsd The policy tree is no more Mop up documentation mentioning it or any of its numerous accessors that almost nothing ever used. --- diff --git a/lib/libcrypto/man/Makefile b/lib/libcrypto/man/Makefile index 3616c157d3d..fc3204e3a2c 100644 --- a/lib/libcrypto/man/Makefile +++ b/lib/libcrypto/man/Makefile @@ -1,4 +1,4 @@ -# $OpenBSD: Makefile,v 1.248 2023/04/27 09:43:55 tb Exp $ +# $OpenBSD: Makefile,v 1.249 2023/04/30 14:49:47 tb Exp $ .include @@ -377,9 +377,6 @@ MAN= \ X509_load_cert_file.3 \ X509_new.3 \ X509_ocspid_print.3 \ - X509_policy_check.3 \ - X509_policy_tree_get0_policies.3 \ - X509_policy_tree_level_count.3 \ X509_print_ex.3 \ X509_sign.3 \ X509_signature_dump.3 \ diff --git a/lib/libcrypto/man/X509_STORE_CTX_get_error.3 b/lib/libcrypto/man/X509_STORE_CTX_get_error.3 index 30e40247361..b3d0ee3069d 100644 --- a/lib/libcrypto/man/X509_STORE_CTX_get_error.3 +++ b/lib/libcrypto/man/X509_STORE_CTX_get_error.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.26 2023/04/21 06:45:56 tb Exp $ +.\" $OpenBSD: X509_STORE_CTX_get_error.3,v 1.27 2023/04/30 14:49:47 tb Exp $ .\" full merge up to: .\" OpenSSL man3/X509_STORE_CTX_get_error 24a535ea Sep 22 13:14:20 2020 +0100 .\" OpenSSL man3/X509_STORE_CTX_new 24a535ea Sep 22 13:14:20 2020 +0100 @@ -68,7 +68,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: April 21 2023 $ +.Dd $Mdocdate: April 30 2023 $ .Dt X509_STORE_CTX_GET_ERROR 3 .Os .Sh NAME @@ -86,8 +86,6 @@ .Nm X509_STORE_CTX_get_chain , .Nm X509_STORE_CTX_get1_chain , .Nm X509_STORE_CTX_set0_verified_chain , -.Nm X509_STORE_CTX_get0_policy_tree , -.Nm X509_STORE_CTX_get_explicit_policy , .Nm X509_verify_cert_error_string .Nd get or set certificate verification status information .Sh SYNOPSIS @@ -152,14 +150,6 @@ .Fa "X509_STORE_CTX *ctx" .Fa "STACK_OF(X509) *chain" .Fc -.Ft X509_POLICY_TREE * -.Fo X509_STORE_CTX_get0_policy_tree -.Fa "X509_STORE_CTX *ctx" -.Fc -.Ft int -.Fo X509_STORE_CTX_get_explicit_policy -.Fa "X509_STORE_CTX *ctx" -.Fc .In openssl/x509.h .Ft const char * .Fo X509_verify_cert_error_string @@ -337,24 +327,6 @@ return a pointer to a stack of certificates or .Dv NULL if an error occurs. .Pp -.Fn X509_STORE_CTX_get0_policy_tree -returns an internal pointer to the -.Fa valid_policy_tree -created by -.Xr X509_policy_check 3 -or -.Dv NULL -if validation failed or the resulting tree was empty. -.Pp -.Fn X509_STORE_CTX_get_explicit_policy -returns the -.Pf * Fa pexplicit_policy -output argument of -.Xr X509_policy_check 3 . -If validation succeeded, it is 1 if -.Dv X509_V_FLAG_EXPLICIT_POLICY -was requested or 0 otherwise. -.Pp .Fn X509_verify_cert_error_string returns a human readable error string for verification error .Fa n . @@ -576,8 +548,6 @@ This will never be returned unless explicitly set by an application. .\" No CA signature digest algorithm too weak .El .Sh SEE ALSO -.Xr X509_policy_check 3 , -.Xr X509_policy_tree_level_count 3 , .Xr X509_STORE_CTX_new 3 , .Xr X509_STORE_CTX_set_verify 3 , .Xr X509_STORE_CTX_set_verify_cb 3 , @@ -599,12 +569,6 @@ first appeared in SSLeay 0.8.0 and have been available since first appeared in OpenSSL 0.9.5 and has been available since .Ox 2.7 . .Pp -.Fn X509_STORE_CTX_get0_policy_tree -and -.Fn X509_STORE_CTX_get_explicit_policy -first appeared in OpenSSL 0.9.8 and have been available since -.Ox 4.5 . -.Pp .Fn X509_STORE_CTX_get0_current_issuer , .Fn X509_STORE_CTX_get0_current_crl , and diff --git a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 index 08961eb4d3e..65e20f1ad8c 100644 --- a/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 +++ b/lib/libcrypto/man/X509_VERIFY_PARAM_set_flags.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.27 2022/12/01 05:33:55 tb Exp $ +.\" $OpenBSD: X509_VERIFY_PARAM_set_flags.3,v 1.28 2023/04/30 14:49:47 tb Exp $ .\" full merge up to: OpenSSL d33def66 Feb 9 14:17:13 2016 -0500 .\" selective merge up to: OpenSSL 24a535ea Sep 22 13:14:20 2020 +0100 .\" @@ -68,7 +68,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: December 1 2022 $ +.Dd $Mdocdate: April 30 2023 $ .Dt X509_VERIFY_PARAM_SET_FLAGS 3 .Os .Sh NAME @@ -566,8 +566,6 @@ If .Dv X509_V_FLAG_NOTIFY_POLICY is set and policy checking is successful, a special status code is sent to the verification callback. -This permits it to examine the valid policy tree and perform additional -checks or simply log it for debugging purposes. .Pp By default some additional features such as indirect CRLs and CRLs signed by different keys are disabled. diff --git a/lib/libcrypto/man/X509_check_purpose.3 b/lib/libcrypto/man/X509_check_purpose.3 index 611697fa30a..63560811370 100644 --- a/lib/libcrypto/man/X509_check_purpose.3 +++ b/lib/libcrypto/man/X509_check_purpose.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_check_purpose.3,v 1.9 2022/12/17 12:48:53 tb Exp $ +.\" $OpenBSD: X509_check_purpose.3,v 1.10 2023/04/30 14:49:47 tb Exp $ .\" .\" Copyright (c) 2019, 2021 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 17 2022 $ +.Dd $Mdocdate: April 30 2023 $ .Dt X509_CHECK_PURPOSE 3 .Os .Sh NAME @@ -412,7 +412,6 @@ can be used as a CA for the .Xr EXTENDED_KEY_USAGE_new 3 , .Xr X509_check_trust 3 , .Xr X509_new 3 , -.Xr X509_policy_check 3 , .Xr X509_PURPOSE_set 3 , .Xr X509V3_get_d2i 3 , .Xr x509v3.cnf 5 diff --git a/lib/libcrypto/man/X509_check_trust.3 b/lib/libcrypto/man/X509_check_trust.3 index be4489e9465..0f02a1b1ef2 100644 --- a/lib/libcrypto/man/X509_check_trust.3 +++ b/lib/libcrypto/man/X509_check_trust.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_check_trust.3,v 1.7 2022/12/26 07:18:52 jmc Exp $ +.\" $OpenBSD: X509_check_trust.3,v 1.8 2023/04/30 14:49:47 tb Exp $ .\" .\" Copyright (c) 2021 Ingo Schwarze .\" @@ -14,7 +14,7 @@ .\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF .\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. .\" -.Dd $Mdocdate: December 26 2022 $ +.Dd $Mdocdate: April 30 2023 $ .Dt X509_CHECK_TRUST 3 .Os .Sh NAME @@ -238,7 +238,6 @@ was never called before. .Xr X509_CERT_AUX_new 3 , .Xr X509_check_purpose 3 , .Xr X509_new 3 , -.Xr X509_policy_check 3 , .Xr X509_TRUST_set 3 , .Xr X509_VERIFY_PARAM_set_trust 3 .Sh HISTORY diff --git a/lib/libcrypto/man/X509_new.3 b/lib/libcrypto/man/X509_new.3 index 4b85f67eb07..c38dfc00b1b 100644 --- a/lib/libcrypto/man/X509_new.3 +++ b/lib/libcrypto/man/X509_new.3 @@ -1,4 +1,4 @@ -.\" $OpenBSD: X509_new.3,v 1.36 2021/11/18 10:09:24 schwarze Exp $ +.\" $OpenBSD: X509_new.3,v 1.37 2023/04/30 14:49:47 tb Exp $ .\" full merge up to: OpenSSL 99d63d46 Oct 26 13:56:48 2016 -0400 .\" .\" This file is a derived work. @@ -66,7 +66,7 @@ .\" ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED .\" OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.Dd $Mdocdate: November 18 2021 $ +.Dd $Mdocdate: April 30 2023 $ .Dt X509_NEW 3 .Os .Sh NAME @@ -229,8 +229,6 @@ if an error occurs. .Xr X509_NAME_new 3 , .Xr X509_OBJECT_new 3 , .Xr X509_PKEY_new 3 , -.Xr X509_policy_check 3 , -.Xr X509_policy_tree_level_count 3 , .Xr X509_print_ex 3 , .Xr X509_PUBKEY_new 3 , .Xr X509_PURPOSE_set 3 , diff --git a/lib/libcrypto/man/X509_policy_check.3 b/lib/libcrypto/man/X509_policy_check.3 deleted file mode 100644 index 5ea774a3eff..00000000000 --- a/lib/libcrypto/man/X509_policy_check.3 +++ /dev/null @@ -1,192 +0,0 @@ -.\" $OpenBSD: X509_policy_check.3,v 1.6 2021/11/11 12:06:25 schwarze Exp $ -.\" -.\" Copyright (c) 2021 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: November 11 2021 $ -.Dt X509_POLICY_CHECK 3 -.Os -.Sh NAME -.Nm X509_policy_check , -.Nm X509_policy_tree_free -.Nd construct X.509 valid policy tree -.Sh SYNOPSIS -.In openssl/x509_vfy.h -.Ft int -.Fo X509_policy_check -.Fa "X509_POLICY_TREE **ptree" -.Fa "int *pexplicit_policy" -.Fa "STACK_OF(X509) *certs" -.Fa "STACK_OF(ASN1_OBJECT) *policy_oids" -.Fa "unsigned int flags" -.Fc -.Ft void -.Fn X509_policy_tree_free "X509_POLICY_TREE *tree" -.Sh DESCRIPTION -.Fn X509_policy_check -performs those parts of Basic Certification Path Validation -described in RFC 5280 section 6.1 that are related to the -construction of the valid policy tree. -.Pp -The -.Fa certs -input argument contains the prospective certification path -according to RFC 5280 paragraph 6.1.1(a), starting with the -target certificate and ending with the trust anchor. -.Pp -The -.Fa policy_oids -input argument contains the -.Va user-initial-policy-set -according to RFC 5280 section 6.1.1(c). -It specifies a set of certificate policies acceptable to the certificate user. -.Pp -The -.Fa flags -argument can contain zero or more of the following constants, OR'ed together: -.Bl -tag -width Ds -.It Dv X509_V_FLAG_EXPLICIT_POLICY -Set -.Va initial-explicit-policy -as defined by RFC 5280 paragraph 6.1.1(f). -It requires the path to be valid for at least one of the -.Fa policy_oids . -.It Dv X509_V_FLAG_INHIBIT_ANY -Set -.Va initial-any-policy-inhibit -as defined by RFC 5280 paragraph 6.1.1(g). -It causes the -.Sy anyPolicy -OID to be skipped if it is encountered in a certificate. -.It Dv X509_V_FLAG_INHIBIT_MAP -Set -.Va initial-policy-mapping-inhibit -as defined by RFC 5280 paragraph 6.1.1(e). -It disables policy mapping in the certification path. -.El -.Pp -Upon success and in some cases of failure, the storage location pointed to by -.Fa pexplicit_policy -is set to 1 if -.Dv X509_V_FLAG_EXPLICIT_POLICY -was requested. -Otherwise, it is set to 0. -.Pp -In many cases of success and in a few cases of failure, a pointer to the -.Vt valid_policy_tree -output value mentioned in RFC 5280 section 6.1.6 is returned in -.Pf * Fa ptree . -It contains one level for each of the -.Fa certs , -in reverse order: level 0 corresponds to the trust anchor, -the last level corresponds to the target certificate. -Level 0 is initialized to contain a single node with a -.Fa valid_policy -of -.Sy anyPolicy -and an empty -.Fa qualifier_set . -.Pp -If a policy tree is returned, the reference count of each of the -.Fa certs -is incremented by 1. -In that case, the caller is responsible for calling -.Fn X509_policy_tree_free -to release all memory used by the -.Fa tree -and to decrement the reference counts -of the certificates referenced from it by 1. -If -.Fa tree -is a -.Dv NULL -pointer, -.Fn X509_policy_tree_free -has no effect. -.Sh RETURN VALUES -.Fn X509_policy_check -returns these values: -.Bl -tag -width 2n -.It \-2 -Validation failed because -.Dv X509_V_FLAG_EXPLICIT_POLICY -was requested but the resulting policy tree -or the resulting user policy set would have been empty. -In this case, -.Pf * Fa pexplicit_policy -is set to 1. -If the resulting tree is empty, -.Pf * Fa ptree -is set to -.Dv NULL ; -otherwise, it is set to the resulting tree. -.It \-1 -At least one of the -.Fa certs -contains invalid or inconsistent extensions. -.Pf * Fa ptree -is set to -.Dv NULL -and -.Pf * Fa pexplicit_policy -to 0. -.It 0 -Internal error. -For example, setting up the policy caches failed, or memory allocation -failed while constructing the tree. -.Pf * Fa ptree -is set to -.Dv NULL -and -.Pf * Fa pexplicit_policy -may or may not be set. -.It 1 -Validation succeeded and -.Pf * Fa ptree -and -.Pf * Fa pexplicit_policy -have been set. -In the special cases that the -.Fa certs -argument contains exactly one certificate or that -.Dv X509_V_FLAG_EXPLICIT_POLICY -was not requested and at least one of the certificates contains no -certificate policies or the resulting policy tree would have been empty, -.Pf * Fa ptree -is set to -.Dv NULL -and -.Pf * Fa pexplicit_policy -to 0. -.El -.Sh SEE ALSO -.Xr ASN1_OBJECT_new 3 , -.Xr OBJ_nid2obj 3 , -.Xr STACK_OF 3 , -.Xr X509_check_purpose 3 , -.Xr X509_check_trust 3 , -.Xr X509_new 3 , -.Xr X509_policy_tree_get0_policies 3 , -.Xr X509_policy_tree_level_count 3 , -.Xr X509_verify_cert 3 -.Sh STANDARDS -RFC 5280: Internet X.509 Public Key Infrastructure Certificate -and Certificate Revocation List (CRL) Profile, -section 6.1: Basic Path Validation -.Sh HISTORY -.Fn X509_policy_check -and -.Fn X509_policy_tree_free -first appeared in OpenSSL 0.9.8 and have been available since -.Ox 4.5 . diff --git a/lib/libcrypto/man/X509_policy_tree_get0_policies.3 b/lib/libcrypto/man/X509_policy_tree_get0_policies.3 deleted file mode 100644 index cb0715d6cb1..00000000000 --- a/lib/libcrypto/man/X509_policy_tree_get0_policies.3 +++ /dev/null @@ -1,101 +0,0 @@ -.\" $OpenBSD: X509_policy_tree_get0_policies.3,v 1.1 2021/11/11 12:06:25 schwarze Exp $ -.\" -.\" Copyright (c) 2021 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: November 11 2021 $ -.Dt X509_POLICY_TREE_GET0_POLICIES 3 -.Os -.Sh NAME -.Nm X509_policy_tree_get0_policies , -.Nm X509_policy_tree_get0_user_policies -.Nd retrieve arrays of policy tree nodes -.Sh SYNOPSIS -.In openssl/x509_vfy.h -.Ft STACK_OF(X509_POLICY_NODE) * -.Fn X509_policy_tree_get0_policies "const X509_POLICY_TREE *tree" -.Ft STACK_OF(X509_POLICY_NODE) * -.Fn X509_policy_tree_get0_user_policies "const X509_POLICY_TREE *tree" -.Sh DESCRIPTION -The -.Em authority set -and the -.Em user set -are arrays of nodes from a policy -.Fa tree . -.Pp -If the last level of a -.Fa tree , -or equivalently, all levels of it, contain an -.Sy anyPolicy -node, the authority set contains -only this anyPolicy node from the last level. -Unless the array of -.Fa policy_oids -passed to -.Xr X509_policy_check 3 -contained an anyPolicy object, -the user set contains one node for each of the -.Fa policy_oids ; -specifically, the first matching node that is a child of an anyPolicy node. -.Pp -If the last level of the -.Fa tree -does not contain an -.Sy anyPolicy -node, the authority set contains -all non-anyPolicy nodes that are children of anyPolicy nodes. -For each element of the -.Fa policy_oids , -the user set contains the first node from the authority set -matching it, if any. -.Pp -These functions are intended to be called after -.Xr X509_policy_check 3 -was called either directly or indirectly through -.Xr X509_verify_cert 3 . -.Sh RETURN VALUES -.Fn X509_policy_tree_get0_policies -returns an internal pointer to the authority set -or -.Dv NULL -if the -.Fa tree -argument is -.Dv NULL . -.Pp -.Fn X509_policy_tree_get0_user_policies -returns an internal pointer to the user set or -.Dv NULL -if the -.Fa tree -argument is -.Dv NULL -or if the array of -.Fa policy_oids -passed to -.Xr X509_policy_check 3 -was empty or contained an anyPolicy object. -.Sh SEE ALSO -.Xr STACK_OF 3 , -.Xr X509_policy_check 3 , -.Xr X509_policy_level_get0_node 3 , -.Xr X509_STORE_CTX_get0_policy_tree 3 -.Sh STANDARDS -RFC 5280: Internet X.509 Public Key Infrastructure Certificate -and Certificate Revocation List (CRL) Profile, -section 6.1: Basic Path Validation -.Sh HISTORY -These function first appeared in OpenSSL 0.9.8 and have been available since -.Ox 4.5 . diff --git a/lib/libcrypto/man/X509_policy_tree_level_count.3 b/lib/libcrypto/man/X509_policy_tree_level_count.3 deleted file mode 100644 index ff2036c40fd..00000000000 --- a/lib/libcrypto/man/X509_policy_tree_level_count.3 +++ /dev/null @@ -1,178 +0,0 @@ -.\" $OpenBSD: X509_policy_tree_level_count.3,v 1.5 2022/09/10 08:50:53 jsg Exp $ -.\" -.\" Copyright (c) 2021 Ingo Schwarze -.\" -.\" Permission to use, copy, modify, and distribute this software for any -.\" purpose with or without fee is hereby granted, provided that the above -.\" copyright notice and this permission notice appear in all copies. -.\" -.\" THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES -.\" WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF -.\" MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR -.\" ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES -.\" WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN -.\" ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF -.\" OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. -.\" -.Dd $Mdocdate: September 10 2022 $ -.Dt X509_POLICY_TREE_LEVEL_COUNT 3 -.Os -.Sh NAME -.Nm X509_policy_tree_level_count , -.Nm X509_policy_tree_get0_level , -.Nm X509_policy_level_node_count , -.Nm X509_policy_level_get0_node , -.Nm X509_policy_node_get0_policy , -.Nm X509_policy_node_get0_qualifiers , -.Nm X509_policy_node_get0_parent -.Nd inspect X.509 policy tree objects -.Sh SYNOPSIS -.In openssl/x509_vfy.h -.Ft int -.Fn X509_policy_tree_level_count "const X509_POLICY_TREE *tree" -.Ft X509_POLICY_LEVEL * -.Fn X509_policy_tree_get0_level "const X509_POLICY_TREE *tree" "int index" -.Ft int -.Fn X509_policy_level_node_count "X509_POLICY_LEVEL *level" -.Ft X509_POLICY_NODE * -.Fn X509_policy_level_get0_node "X509_POLICY_LEVEL *level" "int index" -.Ft const ASN1_OBJECT * -.Fn X509_policy_node_get0_policy "const X509_POLICY_NODE *node" -.Ft STACK_OF(POLICYQUALINFO) * -.Fn X509_policy_node_get0_qualifiers "const X509_POLICY_NODE *node" -.Ft const X509_POLICY_NODE * -.Fn X509_policy_node_get0_parent "const X509_POLICY_NODE *node" -.Sh DESCRIPTION -The -.Vt X509_POLICY_TREE -object represents a -.Vt valid_policy_tree -as described in RFC 5280 section 6.1. -.Pp -The -.Vt X509_POLICY_LEVEL -object represents one level of such a tree, -corresponding to one certificate. -.Pp -The -.Vt X509_POLICY_NODE -object represents one node in the tree. -.Sh RETURN VALUES -.Fn X509_policy_tree_level_count -returns the number of levels in the -.Fa tree -or 0 if the -.Fa tree -argument is -.Dv NULL . -If it is not 0, it equals the number of certificates in the -certification path the tree was created from, including both -the target certificate and the trust anchor. -.Pp -.Fn X509_policy_tree_get0_level -returns an internal pointer to the level of the -.Fa tree -with the given -.Fa index -or -.Dv NULL -if the -.Fa tree -argument is -.Dv NULL -or the -.Fa index -is less than 0 or greater than or equal to the number of levels in the -.Fa tree . -An -.Fa index -of 0 corresponds to the trust anchor -and the last level corresponds to the target certificate. -.Pp -.Fn X509_policy_level_node_count -returns the number of nodes on the -.Fa level , -including an -.Sy anyPolicy -node if it is present, or 0 if the -.Fa level -argument is -.Dv NULL . -.Pp -.Fn X509_policy_level_get0_node -returns an internal pointer to the node on the -.Fa level -with the given -.Fa index -or -.Dv NULL -if the -.Fa level -argument is -.Dv NULL -or the -.Fa index -is less than 0 or greater than or equal to the number of nodes on the level. -If an -.Sy anyPolicy -node is present on the level, it can be retrieved by passing an -.Fa index -of 0. -.Pp -.Fn X509_policy_node_get0_policy -returns an internal pointer to the -.Fa valid_policy -child object of the node or -.Dv NULL -if the -.Fa node -argument is -.Dv NULL . -It represents a single policy that is valid for the path -from the trust anchor to the certificate corresponding -to the level containing the -.Fa node . -.Pp -.Fn X509_policy_node_get0_qualifiers -returns an internal pointer to the -.Fa qualifier_set -child object of the node or -.Dv NULL -if the -.Fa node -argument is -.Dv NULL . -It contains the policy qualifiers associated with the -.Fa valid_policy -of the -.Fa node -in the certificate corresponding to the level containing the -.Fa node . -.Pp -.Fn X509_policy_node_get0_parent -returns -.Dv NULL -if the -.Fa node -argument is -.Dv NULL -or located on level 0. -Otherwise, it returns an internal pointer to the parent node of the -.Fa node -argument. -The parent node is always located on the previous level. -.Sh SEE ALSO -.Xr ASN1_OBJECT_new 3 , -.Xr OBJ_obj2txt 3 , -.Xr POLICYQUALINFO_new 3 , -.Xr STACK_OF 3 , -.Xr X509_new 3 , -.Xr X509_policy_check 3 , -.Xr X509_policy_tree_get0_policies 3 -.Sh STANDARDS -RFC 5280: Internet X.509 Public Key Infrastructure Certificate -and Certificate Revocation List (CRL) Profile, -section 6.1: Basic Path Validation -.Sh HISTORY -These function first appeared in OpenSSL 0.9.8 and have been available since -.Ox 4.5 .